
Understanding Data Security Risks When Using Technology

PERFECTLY STATED

"Cyberwarfare is like a soccer game with all the fans on the field with you and no one is wearing uniforms,"

- Marshall Lytle, Chief Information Officer of the Joint Staff

CHANGING DYNAMICS

Your data is more accessible today. You are only as secure as your weakest partner.

Time and Billing Software
Case and Client Management
E-Discovery
Cybersecurity Software Solutions
Document Management
Local Counsel

CUSTOMER DATA FLOW CHART

Integrity of data security throughout the supply chain is a cost of doing business, as customers demand secure vendors.

Flow chart levels: Customers; Law Firm; Vendor, Vendor, Vendor

CYBER SUPPLY CHAIN RISK MANAGEMENT

Communicate your security policies and procedures throughout the supply chain

Identify, quantify, and prioritize security risk related to sharing sensitive data throughout the supply chain (hardware, software, and services)

Cybersecurity
Compliance
Risk Management

TARGET CASE STUDY

Phishing attack against Fazio Mechanical
Accessing the Target network
Gained access to vulnerable machines
Installed malware on Point of Sale terminal
Collected credit card information from PoS
Moved data out of Target network

A Google search would have shown the vendor portal, a list of HVAC and refrigeration companies, and a Microsoft case study of Target's architecture

40 million credit and debit cards and 70 million records of personal information

THREE PILLARS OF SUPPLY CHAIN THREATS

People / Employees: Which employees have access to my data? Have you completed an in-depth screening of each employee?

Services: Can you adequately protect my assets and personnel?

Products: What technologies are used in your products? Is my data being shared with your third parties (4th Party Risk)?

BEST PRACTICES – ROAD MAP

Identify ALL vendors in supply chain
Create the right questions based on the risk level & role of the vendor
Translate areas of risk into the contract Terms and Conditions
Catalog vendors by criticality to business
Score results and communicate with business units for transparency
Automate Reassessment to ensure compliance – enforce audit clause

CREATING VENDOR INVENTORY

Expanded definition of vendor
Include all third parties that touch your networks, components or information systems
Vendors that provide physical security and support services (executive protection, janitorial, CCTV)
Determine data access and business criticality

Tier 1: Real-time risk priorities
Tier 2: High Criticality, Business Critical Systems
Tier 3: Medium Criticality
Tier 4: Low Criticality

WHAT INFORMATION IS RELEVANT

Depending on the data access and criticality of your vendor, the security assessment should be customized to meet your firm's policies, compliance requirements and best practices

Key Security Domains
Business continuity/disaster management
Personnel security
System development
Application security
Overall system security
Network security
Data security and Life Cycle Management
Access control (physical and cyber)
Vulnerability management
Change Management
Third Party Vendors

DEVELOPING THE CONTRACT

Translate results into Terms and Conditions of contracts
How the vendor should handle your data
Which employees should have access, and background checks for new employees
Evaluation requirement of components and/or technologies used in their products
Patch update notification requirements before deployment
Breach notification clauses

HOW FREQUENTLY SHOULD THIS BE COMPLETED

Baseline Security Assessment
Annual Reassessment
Real-Time Critical Updates
Ad Hoc Vendor Audits

The organization that shares the data has the ultimate right to control who has access to the data and how frequently you evaluate their security

CONCLUSION

Vendors typically need you more than you need them
Complete assessments on a regular basis
Require 3rd Party Risk Assessment by your vendors (your 4th party)
Enforce your audit clause to validate compliance
Ensure background checks and training are completed by your vendors that have customer information
Set a policy, stick with it, and communicate to all stakeholders

CONTACT INFORMATION

Ishan Girdhar, Chief Executive Officer
[email protected]
+1 (443) 800 – 3499
www.privva.com
